Business Continuity Part 7
Chapter 4 – Exercise Plans and After-Action Reports
Well, this feels a bit like saying, “Goodbye!” to an old friend. It’s hard to believe we are seven weeks into this BCP series. Hopefully, at least, when you decide to tackle this for your organization this effort will help you develop an effective business continuity plan.
Part 7 covers exercising (working out) your plans and documenting the good, the bad, and the ugly…also known as the After-Action Report (AAR). Anyone who has followed my posts for a while should expect Clint Eastwood films to show up from time to time, especially the Westerns. Okay, where were we? Finding the weak points in our plan is a success if we can incorporate our learning into making the plan better. Since we are now nearly 82% complete according to the Business Continuity Plan Generator, let’s wrap things up in this final session.
4.1 Business Continuity Plan Exercise Methodology
Borrowing straight from the app, we find four methods that can be used to validate our plan:
- Tabletop Exercise – key personnel discussing simulated scenarios in an informal setting.
- Functional Exercise – simulates the reality of operations in a functional area by presenting complex and realistic problems.
- Full Scale Exercise – real operations in multiple functional areas present complex and realistic problems that require critical thinking, rapid problem solving, and effective responses by trained personnel.
- Drill – coordinated, supervised activity usually used to test a single specific operation or function.
Starting out, the Tabletop method will be the easiest to implement. The goal should be to increase the cadence and rigor of your tests over time. You will want to mix up scenarios and test different department functions and roles under a variety of conditions. Be sure to schedule this with your IT and other supporting vendors or partners, if necessary, to ensure full participation. Our vendor for BCDR backups and cloud virtualization wants advance notice of the drill although, if pressed, they do accommodate “spinning up” the virtual servers in the cloud environment on short notice if it comes to that. Maybe that’s a better measure of their true capabilities (hint, hint)?
4.2 Exercise Objectives
This section documents the desired objectives of your test. And these goals should be SMART:
Further, per the Plan Generator guidance, you want your objectives, at a minimum, to accomplish the following:
- Determine the state of readiness of your BCP by creating a learning environment for all participants to learn about the plan.
- Validate the BCP resource lists — people and inventories are sufficient to effect recovery of business operations and/or IT services as appropriate. Document changes and updates (including omissions) to the BCP.
- Verify the information in the BCP is current and accurately reflects the organization’s requirements.
There is a table to enter these or other objectives to document what we expect to get out of our AARs. Additional guidance is given to have separate tests for the IT staff and assessing technical capabilities and another for the end-users who will not benefit from being in the middle of a technical drill.
Section 4.2 also outlines a timeline of tasks occurring as early as 90 days prior to the test and covers post-exercise steps. Something like a Tabletop review will be much less formal.
4.3 Developing the Exercise Scenario
Here is where we develop actual testing scenarios. A fun way to do this might be to write up many different scenarios ahead of time and then pick one at random for the test. You will want these to be somewhat within the realm of possibility and not always going for the Black Swan event like “An asteroid hit the city and there is no human life left within 100 miles of the crater.” While exciting to discuss, the AAR is likely to be brief with few actionable takeaways.
4.4 Exercise Evaluation
The written evaluation of an exercise is most commonly referred to as the After-Action Report (AAR). This section provides a template for how the report should be written. The key to a successful test is to have clear (read: SMART) objectives, a rigorous testing scenario, and to document every minute detail that could be useful to inform what went to plan and what things need additional work. The goal should be to learn something actionable; otherwise the inputs to the test likely need adjusting, i.e., scope, depth, and rigor. If, despite raising the bar each time, you are not finding failure points, it just might be a sign your business continuity capabilities are robust and hold up under pressure. But I would be skeptical of this notion, at least.
Decide who should be copied on the AARs and distribute the report accordingly. If there are action steps coming from the AAR, be sure you define “who, does what, and by when”. And that needs to be a person accountable for the task, even if this involves delegating to others. The adage remains true, “If everyone is responsible, no one is.”
4.5 Exercise Reports
Last, but not least, section 4.5 provides a table where we can record the Test Number, Date, Exercise Type, and Plan Area Exercised. A copy of each AAR associated with the documented test should be added to the electronic and physical copies of the plan.
Wrapping Up and Changing Gears
If you have followed along for the past seven articles, you have a good idea of what it takes to develop your own business continuity plan. If you have done the work through each step of the way, all the better and now pat yourself (and your team) on the back.
So what? Now what? First, do not underestimate the strategic importance of having this plan in place. It’s hard work at first but will get easier over time. And when the worst happens, the plan will pay huge dividends, possibly being the one thing that saves your company. Okay, let’s all take a deep breath before I say – But wait…there’s more! Next week we will shift gears from business continuity to disaster recovery. To build your Disaster Recovery Plan, we will leverage the second half of the tool and TCS will walk you through all of the steps just like we have done here.
Until next time, I think we should spike the football, have a victory dance, or engage in any other celebration of choice for getting to this point. Kudos from the team here at TCS! We would love to hear your success stories or help you along this journey, so don’t hesitate to give us a ring if we can help. TTFN!